Posted by BeauHD on Saturday March 04, 2017 @09:00AM, from the good-riddance dept.

An anonymous reader quotes a report from Ars Technica: The FCC in 2015 made it clear that voice service providers can offer call blocking tools to customers, but commissioners said at the time that more needed to be done about Caller ID spoofing. FCC Chairman Ajit Pai has now scheduled a preliminary vote for March 23 on new rules designed to solve the problem. "One particularly pernicious category of robocalls is spoofed robocalls -- i.e., robocalls where the caller ID is faked, hiding the caller's true identity," the proposal says. "Fraudsters bombard consumers' phones at all hours of the day with spoofed robocalls, which in some cases lure consumers into scams (e.g., when a caller claims to be collecting money owed to the Internal Revenue Service) or lead to identity theft." The proposed rules would let providers "block spoofed robocalls when the spoofed Caller ID can't possibly be valid." Providers would be able to block numbers that aren't valid under the North American Numbering Plan and block valid numbers that haven't been allocated to any phone company. They'd also be able to block valid numbers that have been allocated to a phone company but haven't been assigned to a subscriber. The proposal would also codify the FCC's previous guidance that phone companies can block calls when requested by the spoofed number's subscriber. The upcoming vote on March 23 is for a Notice of Proposed Rulemaking (NPRM), which means the rules won't take effect immediately. The FCC uses NPRMs to seek comment on proposals before issuing final rules.
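
Added example, not part of the original post or of the FCC proposal: the three blockable categories in the summary above, expressed as a Python check that a provider-side filter could run on a presented Caller ID. The allocation table and assigned-number set are constructed sample data, and the function names are hypothetical; the format rules used are the basic NANP ones (area code and exchange start with 2-9 and are not N11 service codes).

```python
"""Classify a presented Caller ID against the proposal's blockable categories."""
import re
from enum import Enum


class Verdict(Enum):
    INVALID_NANP = "not a valid NANP number"
    UNALLOCATED = "valid format, but block not allocated to any carrier"
    UNASSIGNED = "allocated to a carrier, but not assigned to a subscriber"
    PLAUSIBLE = "assigned number (can still be spoofed)"


# Constructed sample data. A real filter would read numbering-plan allocation
# records and the carrier's own subscriber inventory instead.
ALLOCATED_BLOCKS = {("888", "555"): "ExampleTel"}    # (area code, exchange)
ASSIGNED_NUMBERS = {"8885551555", "8885552627"}      # numbers in service


def normalize(caller_id):
    """Return the 10-digit national number, or None if it cannot be one."""
    s = caller_id.strip()
    # Only digits and common punctuation; names or empty strings are rejected.
    if not re.fullmatch(r"\+?[\d\s().-]+", s):
        return None
    # An explicit country code other than +1 is outside the NANP.
    if s.startswith("+") and not s.startswith("+1"):
        return None
    digits = re.sub(r"\D", "", s)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def is_valid_nanp(digits):
    """NXX-NXX-XXXX: both 3-digit codes start with 2-9 and are not N11."""
    for code in (digits[:3], digits[3:6]):
        if code[0] in "01" or code[1:] == "11":
            return False
    return True


def classify(caller_id):
    """Apply the checks in the order the proposal lists them."""
    digits = normalize(caller_id)
    if digits is None or not is_valid_nanp(digits):
        return Verdict.INVALID_NANP
    if (digits[:3], digits[3:6]) not in ALLOCATED_BLOCKS:
        return Verdict.UNALLOCATED
    if digits not in ASSIGNED_NUMBERS:
        return Verdict.UNASSIGNED
    return Verdict.PLAUSIBLE


def should_block(caller_id):
    """True when the Caller ID 'can't possibly be valid' under the proposal."""
    return classify(caller_id) is not Verdict.PLAUSIBLE


if __name__ == "__main__":
    # Constructed inputs, including the malformed IDs described in the thread.
    for cid in ["000-000-0000", "1", "+44 20 7946 0000",
                "(312) 555-0100", "888-555-0199", "1-888-555-2627"]:
        print(f"{cid!r:22} -> {classify(cid).value}")
```

A number that reaches the PLAUSIBLE verdict has only passed a plausibility test; a caller presenting someone else's assigned number passes all three checks.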

That should include numbers from another country. Telephone exchanges worldwide are just special purpose computers, so there is no reason/excuse at all that numbers should not be passed onto another country.

Let's say I own Bob's National Grocery chain. My internal number is 888-555-1555. When I dial out, for privacy reasons, my number shows as the internal switchboard number - 888-555-2627 ("bobs" lol). This should not be a problem, as (1) my company owns this number and (2) it is answered. The issues here are two fold:

1. How do you determine the number I am advertising is mine? The answer here is simple - for numbers I advertise out from my phone switch, I must own these from the phone company I am peering with (first hop) or have some way to prove that I own those DIDs if I have multiple peering companies. Not a difficult hurdle to overcome.

2. How do you determine the number I am advertising (assuming step #1 is valid) is a valid company or answered number? In the case of robocalls or spam, my company could prove I own a block - satisfying #1 above, but turn out to be a voicemail box that's full or a non-company-answered blank DID.

About 15 years ago, I played around with a company owned phone switch setup and found that ANY number I put to advertise outbound was picked up and relayed to the target's caller id. I made a few test calls to my cell phone to validate that this was possible and then promptly reverted back to the company's owned block.

All I can say is: Thank goodness and it's way about time that now in 2017 this might get done.

I see ppl complaining about collateral damage, e.g. legit uses for spoofing but I say screw it. It's not worth it. If you need those features or whatever find another way to do it. Spoofing needs to be stopped completely once and for all.

I would also like to see more actual enforcement against spammers. Would be great to read about them being locked up which is where they belong.

Likewise, a reason for me to ignore those calls. I understand what you say, but at this point, don't care.

This is all much too little, much too late. Over the years of being bombarded by this worthless crap, I've just reached the point where if you aren't in my address book on my phone, it won't even ring. For me and a lot of others, the telephone has been just about destroyed as a communications tool.

Olsoc's #2) above deals w/ your scenarios. If I get calls from my bank, credit cards or doctor, I do answer the call or call back. But I get a lot of calls from people who thought they were calling someone else, and also, robocalls have increased. I know that robocalls have emerged b'cos more people are afraid of being rebuffed on the phone - sometimes rudely, sometimes not, but if I get a robocall, I hang up. Most irritating are the robocalls that pretend to be a live person - the one where a female voice says, after a pause 'I'm sorry, I was talking to my husband' and then goes on to tell me about the cruise to FL. Which doesn't even make sense, given that 'she' was the one who called, not I

Robocalls have emerged because they are much cheaper and more consistent than cheap humans.

My point above is that as soon as you start ignoring calls you don't have whitelisted (literally or figuratively), your phone becomes pretty useless for getting a hold of you in the event of an emergency.

Tell me. Have you removed all of the what-ifs from your life? What if someone calls to tell you that your parents are dying in seconds while you are taking a shit? Or shower? You have a life-proof case so you can take your phone in the shower with you? Spread any E. coli bacteria on your phone. That critical call might come in while you are trying to wipe the old butt.

And homie, the odds are very much the same.

Your maximum fear inculcation is exactly what happens to people when devices that should make

Those are the times when we need our phone to be answered the most. Our friends and family are not the ones crying wolf here, but they are the ones who will suffer if we allow ourselves to harden.

They will not be the only ones who suffer but I guess that is too bad because the phone companies turned phones into a means of SPAM delivery in the quest for money. The assumption that people answer their phone is no longer true whether they have one or not and if it gets bad enough, fewer will have them.

Actually, you're allowed to make a 'reasonable' number of phone calls, though after repeated refused or unanswered calls to friends & family members, you might be told you're going to have to wait a while unless you want to call someone like a law firm that's almost guaranteed to answer. The 'one phone call' meme is a Hollywood construct that would never survive legal challenge, though there's probably room to disagree about the definition of 'reasonable'.

I'd add a fourth rule: If it was important enough to call but not important enough to leave a voicemail telling me who you are and why you called, it probably wasn't important enough to make the call.

If I don't recognize the number, I don't answer. If you leave a voicemail that convinces me I should have answered, I get back to you pretty quickly. But answering the phone to talk to random strangers about whatever scam they're running has gone out the window for me the same way answering the door to ta

I have two numbers for my business. I use VOIP for a number of reasons, mostly cost and flexibility.

I have a Toll Free (888) number, and a local number.

My numbers are with two different providers. The reason is that I started with just a toll free because it was not possible to get a local number. A few years later I found a different provider that has numbers for my area.

The provider of my Toll Free has cheaper outgoing calls, so I use them exclusively for outgoing calls.

If you have real sip transit this is normal. An outbound call from my PBX goes through a number of options to get the best method and shoves whatever CID info I want. Hells a PRI will do that same thing (the pre VOIP method anything bigger than a small office used).

Simple enough, adopt a same origin policy. Your phone provider(s) can allow you to spoof any number that is assigned to you as long as it comes from a line that is assigned to you. If you want/need a 3rd party to spoof a number assigned to you, just sign a document in blood (figuratively) that lines belonging to 3rd party represent you for the next x days.
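
Added example, not from any commenter or carrier: the "same origin policy" described in the comment above as an egress check in Python, covering the case raised earlier in the thread of a business whose numbers sit with two providers. Trunk names, numbers and the key are constructed, and an HMAC seal stands in as an assumption for the signed, time-limited authorization.

```python
"""Egress check: a trunk may present its own numbers or ones delegated to it."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample data: numbers assigned to each customer trunk.
TRUNK_NUMBERS = {
    "trunk-tollfree": {"8885552627"},   # held at provider A
    "trunk-local": {"3125550142"},      # held at provider B
}
# Hypothetical key used by the number-holding provider to seal delegations.
PROVIDER_KEY = b"constructed-demo-key"


def _seal(number, trunk, expires):
    """MAC over the exact fields that the delegation grants."""
    msg = f"{number}|{trunk}|{expires.isoformat()}".encode()
    return hmac.new(PROVIDER_KEY, msg, hashlib.sha256).hexdigest()


def issue_delegation(number, owner_trunk, delegate_trunk, days, now):
    """The assignee authorizes delegate_trunk to present number for `days` days."""
    if number not in TRUNK_NUMBERS.get(owner_trunk, set()):
        raise PermissionError("only the assignee of a number can delegate it")
    expires = now + timedelta(days=days)
    return {"number": number, "trunk": delegate_trunk, "expires": expires,
            "seal": _seal(number, delegate_trunk, expires)}


def may_present(trunk, number, delegations, now):
    """Return (allowed, reason) for a call leaving `trunk` showing `number`."""
    if number in TRUNK_NUMBERS.get(trunk, set()):
        return True, "number assigned to originating trunk"
    reason = "number not assigned or delegated to this trunk"
    for d in delegations:
        if d["number"] != number or d["trunk"] != trunk:
            continue
        expected = _seal(d["number"], d["trunk"], d["expires"])
        if not hmac.compare_digest(expected, d["seal"]):
            reason = "delegation seal invalid"   # edited or forged record
            continue
        if now >= d["expires"]:
            reason = "delegation expired"
            continue
        return True, "valid delegation from assignee"
    return False, reason


if __name__ == "__main__":
    now = datetime(2017, 3, 4, tzinfo=timezone.utc)
    grant = issue_delegation("3125550142", "trunk-local", "trunk-tollfree", 30, now)
    # Outbound call via the toll-free provider showing the local number.
    print(may_present("trunk-tollfree", "3125550142", [], now))
    print(may_present("trunk-tollfree", "3125550142", [grant], now))
    print(may_present("trunk-tollfree", "3125550142", [grant],
                      now + timedelta(days=31)))
```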

The ONLY way to fix this problem is to completely supplant the existing carrier system. FCC is too slow moving and the carriers have too much to lose in the way of revenue. There is no technical reason that each and every call cannot be instantly traced, the calling number be authenticated, and the abuse stopped. Any carrier can today prevent a customer from spoofing a number that they do not own. It would not take much more for carriers to pass messages along with the call setup signal to affirm the leg

Well, there is a reason, albeit not a good one. If you knew who they are you would never answer them.

Actually, that's a pretty good reason. Most of us stopped answering anonymous and unrecognized calls years ago, due to the likelihood such attempts at contact would be nuisance calls.

I run a local service company, and I'm obligated to answer the phone call when a local prefix shows up. Too often now, that winds up being an offer for a preapproved small business loan or a need to update my records for some such thing.

With robocalls able to mimic local phone exchanges, we're back in the wild, pre-caller ID days, and might as well have to answer every phone call... what are we? Savages?

Most of us stopped answering anonymous and unrecognized calls years ago

Indeed. Many people will take this to a logical extreme. My partner is a teacher and for a while she was a substitute teacher. This required her number to be listed with a myriad of people who she didn't recognise. For this she actually bought a second phone with a second SIM. She only ever answered unrecognised numbers on that phone which led to some hilarity when I was stuck in the bush without cell phone coverage but tried to collect call her from a payphone. She did answer her work phone but not her mai

This is a potentially dangerous consequence of this reckless behavior by telemarketers. I wonder what the social and economic impact has been over the years of all the un-answered phone calls by people assuming it was a telemarketer when it was in fact an important call that they should have taken, all because a few assholes want to abuse the system for their personal economic gain...

The only things that stink here are the fetid bias of the MSM and their complete lack of journalistic ethics and the Democrats lack of ethics of any kind (likely to be revealed in the coming weeks as the AG opens real investigations and begins criminal prosecutions).

Just to be clear, there was no lying involved with Jeff Sessions. Here are some facts without the liberal MSM spin machine shitting all over them:

Attorney General Jeff Sessions was asked under oath if he had ever had any contact with the Russia

Since you spent all 8 years screaming in terror at the black man in the white house was getting your guns and money and was making death panels to kill you in FEMA camps. Not to mention 8 years on a statement that there would be no agreements with the president and that everything would be done (and you did it) to stop anything being accomplished.

That is your "taking it like a man", and sure, you should expect us to return the favour and take it similarly.

No, it is not an example of good regulation, but then we wouldn't expect otherwise from Ajit Pai. He has no interest in protecting consumers, just in giving the impression of doing so -- and that's what this regulation will do. It only takes two seconds to realize that all the scammers have to do is change to spoofing real phone numbers instead, testing each number they plan to use once first to be sure it rings. Hey presto, no reduction in spam calls and possibly an increase in phantom rings.

As a lifelong conservative, I'll tell you what's wrong with this. It's going to allow providers to charge for another "service" that should actually be required of them. This isn't a political issue. It's a consumer issue that affects everyone, and unfortunately, the only deep pockets lobbying the FCC are those of the providers. Change this proposed regulation to a requirement, and we'll all be better served.

Under the current rules, providers are prohibited from doing this type of call filtering.

They'd like to (they have a shared database of provisioned numbers and who they belong to), but they aren't legally allowed to and still keep their common carrier status.

This wouldn't become a service they charge extra for. They'll do it just to reduce their own expenses in customer support and complaints. How effective it will be in the end is a different matter, but it's a trivial modification to make to their systems

That is an idiotic thing to say.
Said by a person that has never managed a large phone system. Changing your caller ID number has honest, useful purposes.

Bunch of calltakers and dispatchers calling out to customers to talk to people who have ordered cabs. Do we just use the 100 + random looking DIDs we have? No. Customers do not answer random numbers. We spoof every outgoing call from dispatchers and calltakers to our highly recognized 800 number.

I used no other comment other than yours.
I simply pointed out that a statement that you made, in your comment was wrong.
Specifically that there is no reason for a company to spoof a number.
Then you went off on how I was an idiot and arguing a strawman. I pointed out one thing, in your comment, that was, in fact, wrong. There was no strawman. I used nothing other than the single statement that YOU made. I pointed out that the statement was wrong and why it was. I did not speak of the regulation at all. O

I said nothing about the regulation. Only his statement that there is no reason to mask or spoof caller ID. The regulation has nothing to do with that statement. The statement was wrong and I showed exactly why a company may have a legitimate need to do it. Take your AC ass back to Fucksville, Mexico.

I understood that another person took up the fight.
and another.
I only defended my statement that aglider was fucking wrong. That is all. I made no arguments about the regulations or what they would effect (Although no regulation ever actually accomplishes what it sets out to). Ever.

the spoofing we are talking about here is making a number you don't own show up on the caller ID. your example is not affected. you ever hear of context? spoofing a number that you don't own. no spoofing should be allowed.

How exactly do you track that? The last enterprise phone system I ran, output Caller IDs depending on the extension and department multiple 800#s held by 2 different telecommunications providers and DIDs held by both AT&T and Verizon. Instead of trying to solve all problems by creating regulations and paperwork to hinder honest businesses, you could just put people in prison for being a bad actor,

there is an article about building a new airport in chicago. someone says "we don't need extra transportation" stupid then chimes in "yeah we do - you've apparently never driven a car in LA." people point out to you - the article is about a 3rd airport in chicago, not cars in LA. stupid says nuh-hun - he said "transportation" and cars in LA are transportation.

Except I only ever stated that there are reasons to spoof caller ID numbers. Nothing about the regulation. A

But why do YOU have to do this? Make it a service provided by your telco. You buy a block of 200 numbers and specify that they identify them as the inbound 800 number. Taking this function out of the hands of the end user and putting it under control of the people who regulators can get hold of should it be abused would go a long way to ending abuse. Or at least give law enforcement a telco employee that can be butt-raped in prison for the transgression.

The existing laws are followed. The problem with those laws is that the scope of the law is wrong. All of the current restrictions on Caller ID spoofing has a long list of asterisks behind it which prevents the FCC from doing anything despite the practice ticking off millions of people. The use of a new law would be to change the scope thus allowing prosecution for a wider variety of spoofed calls.

There should only be two options that are legal: for private citizens, they can choose to either block or unblock their ID (shows as their number or BLOCKED on caller ID). For businesses, your ID must show up as a number that you or your business legally owns, no blocking or spoofing allowed at all. So for example, doctors calling a patient back after hours on their personal cell could legally show as the main number for the doctor's office, or blocked, since it is their personal cell if they don't want you

Note that this isn't a requirement to block ANYTHING - just an allowance. The free market will take care of that, with the good providers blocking bad robocalls and thereby gaining more subscribers through their positive customer service efforts.

Of course, this would also allow providers to block numbers that have been issued by non-phone companies, I suppose, like Google and VoIP providers, so we can get that riff raff out of the system and start making sure you pay a real telecom provider for your servic

Unfortunately, that's a common fraud call now. You're told your card is being abused, you are given a number to call to follow up about the abuse, and the call number is used to collect your bank information and even passwords.

I've also received malformed numbers (like four or five digits, or just "1"), and name ID with no number. It is impossible for me to block those numbers with my telco's blocking (which limits me to 20 numbers anyhow) because I can't enter a malformed number.

I'm really surprised yet that they don't just generate a random number in the callee's area code for every call. Probably because it would require the manufacturer of their equipment to support that, or to actually understand open-source VoiP software b

On this topic I actually feel like I can trust Ajit Pai. After all, there is no big company making these robocalls, hence no big bribes for Ajit to collect. Should Verizon or AT&T ever start the practise however, I suspect Ajit will turn the ship around on a penny like he did with net neutrality.

There is one thing to be said for Ajit, he represents predictability and stability.

User modifiability of Caller ID was put in as a convenience for businesses which want to have all their phone numbers identify as the same identity. But it's such an inconvenience to everyone else that we will have no choice but to freeze caller identities to prevent criminal spoofing.

If they have multiple lines that terminate at the same building, an office PBX has been able to be set to one of them for outgoing calls for decades. VoIP can have the same. But cheap businesses don't like that, or even to show a fixed line number. They'd rather advertise some NGN that costs them $5/y that means they get paid cents on the minute for every incoming call.


I'm in good shape until they get my address book and can spoof the numbers of those who are in it.

And what do you do when a loved one is in an accident and the hospital or police are trying to call you to notify you Mr. Smarty pants? Your solution is not valid for the use case of the phone system... There is a valid reason for allowing in any phone that is calling yours, there is no valid reason not to have a trust/certificate system run by a non profit that ties to an actual number, an IP, a physical billing address and someone's drivers license. If you want to be anonymous, go online and use TOR fo

No, I grew up well before cell phones, and I remember the days of being completely disconnected. They weren't as great as you think. When I am out in the mountains fishing or hunting, I have no service and it is no big deal, but when I am at home, people and emergency services expect to be able to reach me.

When a call comes from a number I do not recognize, I just don't answer. Doesn't matter what it is. Once in a while if I am expecting a call I might answer an unrecognized number. Otherwise, let it go to voicemail.

If they leave a message and it is someone I want to talk to, I add them to my contacts and call them back

And if they robocall from the same number a few times, I add the number to the "ignore" list so I am not bothered by the sound of a ringing phone.


A pretty good mode. Self defense against the phone Visigoths at the gates. I am really surprised that legitimate business interests haven't worked on curing this a long time ago. These days, charitable organizations who rely on phone canvassing are included in the listing of calls that aren't answered, that political calls are psychologically associated with fix your PC scams, or the IRS scams, or whatever other scammy crap these criminals are promoting.

My father likes to tell me stories about when telemarketers or scammers call him on his home phone. However, I have been unable to convince him to get a cell phone. He doesn't like the idea of anyone being able to contact him at any time no matter where he is. "You know", I said, "you don't *HAVE* to answer the phone if you don't want to". He doesn't seem to grasp the concept of ignoring phone calls. I don't get it.

He doesn't seem to grasp the concept of ignoring phone calls. I don't get it.

It's a generational thing, one I had a hard time breaking myself of in fact. It's hard to explain, but when I was younger, a call wasn't normally an interruption or scam attempt. Every call was likely something that was legitimately needing attention. When I finally got rid of my AT&T land line, I had not received a single legitimate phone call on it for more than three years but received on average 9 calls a day, and never used

As soon as they start blocking the obviously forged numbers, then all the spammers will switch to forging real numbers. Then they'll have to switch to routing-based blocking. If the number is assigned to a Verizon customer, and the call isn't being routed in a manner that Verizon uses, drop it.

Of course, this means Verizon customers couldn't use VoIP robo-callers with their own number, at least without registering it in some database first. Those customers wouldn't like the extra step, so they'll complain and block the rule.

What we really need is some unforgeable authentication system. This would require some trusted authority to give a public/private key pair for each phone number, so that each call would be accompanied by digitally signed Caller ID. For most customers, this would be handled transparently by their provider. Verizon and the like could even charge a fee for providing keys for use with VoIP dialers. Of course, this would be a major change in how calls are handled, so it would likely take many years and lots of equipment upgrades.

This is what I have been calling for for a while now. It would also address the issue of SWATing using spoofed/VOIP systems to conceal the true caller's ID. The bottom line is that if you want to be anonymous, go on the internet, but for the phone system, you never used to be able to conceal your ID and because of the use case of the phone system (EMS/Police/bomb squad etc.) we need to re-add the trust and accuracy of knowing who is calling.

--numbers that aren't valid under NANPA: foreign numbers and nonsensical numbers like 000-000-0000
--valid numbers that haven't been allocated to any phone company: in NANPA's reserve (like bogons)
--valid numbers that have been allocated to a phone company but haven't been assigned to a subscriber: in a carrier's reserve

which completely ignores all calls that spoof legit numbers that already belong to another entity, which is the most dangerous type of spoofing and the one that needs the most attention. "Hi, I'm from the IRS. See my number? I'm legit!"

--valid numbers that have been allocated to a phone company but haven't been assigned to a subscriber: in a carrier's reserve

First let me address your quote. We broke up Ma Bell and created CLECs remember? You can get a phone number from multiple carriers. Or to make it easy, Sprint has no idea what numbers I have registered from T-Mobile.

Now on to what really matters. When your attacker (let's call them what they really are) is coming from a foreign VPN using a legitimate US VOIP service what do you actually do? The VoIP service typically does terminate the account and moves on with their day. Now you have an entire call ce

No! No! No!
The only time I get a friendly call from a woman is when Heather, from Account Services, calls to offer me help on my credit card debt. I look forward to those calls every day. When I'm in a bad place, Heather calls and I say "Excuse me, I have to take this". And Heather is amazing. She really gets around. She calls from Maine one day and from Arizona the next. Once while talking to Heather on the office phone, she also called my cell. And a different number every time. Amazing woman, that Heather. Please don't take her away. Could it be I'm falling in love?

The phone companies limit the number of phone numbers that you can block from the end-user side. Why not let customers block an unlimited number of calls? You would still get one call but after that the number would be blocked.

Kidding aside, I have a cheapo ARM system with a caller ID modem and a DTMF decoder. If the number isn't one I've white listed, the DTMF board takes the call and asks for the 4 digit pin to be entered. If they give the correct one, the phone rings in the house. If they don't, they get a voice mail box which is really Dave Null.

My cell only rings for white listed numbers. Everything else goes to the voice mail box. Oh, yeah, I should probably delete some messages so folks can leave ne

The problem with ANI is that it depends on the originating entity being trustworthy. This is likely not the case with budget VoIP services. You could add some kind of digital certificate thingy to validate the initial entry into telephone routing, but what would you do with a blob of crypto on its own? Many caller ID devices use simple 2x16 LCD displays, if even that much.

This doesn't go far enough and won't catch scammers spoofing using a real, valid phone number to display on your caller ID. We need some kind of trust/certificate system tied to IP and real physical address/person. Once we have that, we can systematically block all callers who spoof their caller ID or otherwise try to mask or confuse their identity over the phone networks, and we can pass a law making it a federal crime to try to do so...

This should be changed from "let" to "require". There's no reason carriers should be putting these calls through. I'm already paying my provider a couple of fees for blocking things, and yet they still let shit through.

It's time to move on to more technical solutions. Specifically calls that are automatically encrypted and signed. Ones where you can be sure where they originated from. And I don't mean phones sharing private keys but rather a massive database like the DNS system where every phone is listed possibly multiple times.

It should be trivial to include not only a telephone number but also a pass key so that you can enable a person to call you but also be able to revoke that ability. Something like a 404 error

Block sending the caller ID tones by the call originator, if detected disconnect. Require registration before allowing a trunkline of any sort to send a caller-ID that is not the one assigned to the trunkline. Covers ISDN PRI and T1 handily. Disallow calls from out of country to have a caller name other than International. Foreign call centers can deal with it. They want an exception, they apply to the FCC and register. Then they have to have the caller name for that trunk that matches their client.

The call only sends the number. The name is added by a database lookup by your phone provider. If the lookup doesn't get a hit, it uses the area code and prefix to provide a location. I expect that often means it's a spoofed number that hadn't been assigned, which is exactly the sort of thing this will block.

The worst are the ones that deliberately select a number in your own area code and local prefix; those are almost impossible to screen out because they look like a cellphone call from someone local.

That's the root of the problem that needs to be addressed and I think it's what most people mean by "spoofing" in this context. If your caller ID number isn't a number your company owns, we take you to a shallow grave and shoot you in the back of the head. Spoof numbers from within your company's phone number

I use Ring Central for one of my businesses, and it does everything you're asking for (except maybe the whitelist, I haven't looked into that because I've never needed it - but people "in the know" can hit an extension number to get through immediately.) My personal extension forwards to an IP phone at my desk and my mobile phone simultaneously.